How to Build Assessment Tool to Combat Money …

1 The objective of this white paper is to offer specific considerations and suggestions for how the internal audit department can design a firm-wide AML risk Assessment tool that: 1. improves the auditor s ability to identify relevant AML risks; 2. sets the foundation for thoughtful and supported risk determinations; and 3. produces results that can assist in the development of an audit plan that satisfies regulatory expectations for deterring Money laundering and terrorist financing. How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing EQUIPPING YOUR LAST LINE OF DEFENSE A white paper by Jonathan Estreich December 2013 How to Build an Audit Risk Assessment Tool to | Combat Money Laundering and Terrorist Financing 2 | Page equipping your last line of defense The views expressed in this paper are those of the author, and the author alone.

2 The author is not necessarily representing the views or opinions of JPMorgan Chase. TABLE OF CONTENTS EXECUTIVE SUMMARY .. 3 INTRODUCTION .. 3 Regulatory expectations are high and the auditor s role is evolving .. 3 The audit plan reflects whether Audit is on track in the eyes of the regulators .. 5 Audit s risk Assessment process drives the audit plan .. 5 There is a difference between an Audit AMLRA and other AML risk assessments .. 6 Assumptions .. 7 DEVELOPING AN AUDIT AML RISK Assessment TOOL .. 7 Overview .. 7 A closer look .. 8 THE SUPPORT FRAMEWORK: Investing in Audit s risk Assessment process .. 25 INTERPRETING AND USING RESULTS: The audit plan and beyond.

3 27 TAKEAWAY: The risk Assessment design can better equip Audit .. 28 APPENDICES .. 30 A Overview of considerations .. 30 B Examples of considerations .. 31 C References .. 35 D Helpful resources for rating and scoring .. 37 E Acronyms and terms used throughout this paper .. 37 F About the author .. 39 How to Build an Audit Risk Assessment Tool to | Combat Money Laundering and Terrorist Financing 3 | Page equipping your last line of defense EXECUTIVE SUMMARY For reference purposes herein, Bank Secrecy Act ( BSA ), anti Money laundering ( AML ), Office of Foreign Assets Control ( OFAC ) and sanctions will be referred to collectively as AML.

4 The primary objective of this white paper is to offer specific considerations and suggestions for how a financial institution s internal audit department ( Audit ) can design a firm wide AML risk Assessment ( AMLRA ) tool that: 1. improves the auditor s ability to identify relevant AML risks; 2. sets the foundation for thoughtful and supported risk determinations; and 3. produces results that can assist in the development of an audit plan that satisfies current regulatory expectations for deterring Money laundering and terrorist financing. Internal audits are critical for proactively identifying deficiencies and for ensuring that financial institutions ( FIs ) maintain AML functions and programs that are aligned with supervisory requirements and examiner expectations.

5 The selection of these audits as represented by an audit plan is the primary roadmap for AML testing activities and is often determined by a risk Assessment . A notable challenge relating to the compilation of an audit plan that effectively captures AML risk lies with the initial design of the risk Assessment tool1, which should, at a minimum, produce meaningful results that the audit department can interpret, analyze and use to Build an appropriate risk based plan. Most FIs that perform a wide range of activities across a number of separate business lines, legal entities and jurisdictions have or are expected to have a risk Assessment process that can assist with their audit planning.

6 The degree to which this process focuses on AML and complies with regulatory expectations varies from institution to institution. The content provided herein is intended to offer guidance for enhancing or constructing a risk Assessment tool that delivers helpful direction to the audit department in evaluating its FI s AML risks and controls, as well as in documenting decisions. This white paper is not intended to detail the complete process of a risk Assessment , but rather to describe how to work within Audit s existing risk Assessment framework to ensure that the AML component is developed and represented appropriately. A strong and well designed tool should equip the auditor to identify risk and to demonstrate and evidence how risk ratings and related conclusions were derived.

7 *The views expressed in this paper are those of the author, and the author alone.* INTRODUCTION Regulatory expectations are high and the auditor s role is evolving The requirements for AML compliance programs and related internal AML controls have remained, for the most part, consistent with past regulatory statutes and guidance such as the BSA [12 CFR ] and the USA PATRIOT ACT [section 352]. However, within the past five years, the financial services industry has experienced noticeable changes in the articulation of regulatory expectations regarding the adequacy and overall view of internal controls. Concurrently, there has been a significant increase in both the frequency and severity of enforcement actions among the world s largest and most reputable financial corporations.

8 Advances in technology and an expansion of sophisticated products and delivery systems may be partially responsible for the changing environment. These developments have not only provided additional banking opportunities but have also resulted in more complex financial relationships and have compelled Money launders to become smarter and more creative. Nonetheless, despite the 1 The term tool will be used herein to represent the mechanism (such as a basic template or system) used by the FI to organize, record, assess and rate AML risks. The tool can be a sophisticated system or a simple spreadsheet, as well as any accompanying guidance.

9 How to Build an Audit Risk Assessment Tool to | Combat Money Laundering and Terrorist Financing 4 | Page equipping your last line of defense many possible impetuses for the increased legal force, it is clear that there has been a shift in the accepted standard for sound banking practices. Between the years 2010 and 2013, there have been over twenty five AML related consent orders, written agreements and cease and desist orders and more than $900 million in fines2. According to a report issued by the Senate, recent prosecutions and legal actions relating to OFAC violations between 2010 and 2012 have amounted to over $ billion, involving well known financial institutions3.

10 Based on metrics from the Department of the Treasury, OFAC related penalties and settlements between January 2, 2013 and October 25, 2013 totaled $12,875,278 4. In a recent industry paper, Kenneth Simmons5 analyzed BSA examination results of 137 financial institutions that were issued reports between September 2009 and March 2013; these results reflected that, as of April 2013, there were more than 202 open Matters Requiring Attention ( MRAs ) that related to the four pillars of an AML program (audit, internal controls, training and the BSA officer). Of all MRAs reviewed, of outstanding MRAs referenced internal control failures.